
What is account takeover (ATO)?

Account takeover occurs when attackers gain control of legitimate accounts. Using stolen credentials, attackers access victim accounts to send malicious email, access sensitive data, commit financial fraud, and impersonate the victim.

Email account takeover is particularly damaging. Attackers can send phishing from trusted addresses, access password reset links for other services, read sensitive communications, and modify forwarding rules for persistent access.

Detection signs include unexpected password resets, unfamiliar sent messages, logins from unusual locations, and new forwarding rules. Prevention relies on strong unique passwords, multi-factor authentication, and monitoring for suspicious activity.
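
The detection signs above carry more weight when several appear on the same account in a short period. The following is an added example, not part of the original page, that correlates three of those signs over constructed audit events. The event schema, the baseline of known countries, the internal domain and the 24-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema.
EVENTS = [
    {"ts": "2024-05-01T08:02:00", "user": "alice", "type": "login", "country": "DE"},
    {"ts": "2024-05-01T09:15:00", "user": "bob", "type": "login", "country": "US"},
    {"ts": "2024-05-02T03:41:00", "user": "alice", "type": "login", "country": "BR"},
    {"ts": "2024-05-02T03:44:00", "user": "alice", "type": "forwarding_rule_created",
     "target": "archive@mail.example.net"},
    {"ts": "2024-05-02T03:50:00", "user": "alice", "type": "password_reset"},
    {"ts": "2024-05-03T10:00:00", "user": "bob", "type": "forwarding_rule_created",
     "target": "bob.assistant@corp.example"},
    {"ts": "2024-05-09T12:00:00", "user": "carol", "type": "login", "country": "JP"},
]
KNOWN_COUNTRIES = {"alice": {"DE"}, "bob": {"US"}, "carol": {"FR"}}  # assumed baseline
INTERNAL_DOMAIN = "corp.example"  # assumed organisation domain
WINDOW = timedelta(hours=24)      # assumed correlation window

def sign_for(event):
    """Map one event to a detection sign from the text, or None if benign."""
    kind = event["type"]
    if kind == "login" and event["country"] not in KNOWN_COUNTRIES.get(event["user"], set()):
        return "unusual_location"
    if kind == "forwarding_rule_created":
        domain = event["target"].rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:  # internal forwards are not flagged here
            return "external_forwarding_rule"
    if kind == "password_reset":  # only meaningful when correlated with another sign
        return "password_reset"
    return None

def correlate(events, min_signs=2):
    """Return {user: sorted signs} where >= min_signs distinct signs fall in one WINDOW."""
    per_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sign = sign_for(ev)
        if sign:
            per_user.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), sign))
    alerts = {}
    for user, hits in per_user.items():
        for start, _ in hits:  # try a window starting at each suspicious event
            seen = {s for t, s in hits if start <= t <= start + WINDOW}
            if len(seen) >= min_signs and len(seen) > len(alerts.get(user, [])):
                alerts[user] = sorted(seen)
    return alerts

if __name__ == "__main__":
    for user, signs in correlate(EVENTS).items():
        print(f"{user}: possible account takeover ({', '.join(signs)})")
```

A single sign, such as one login from a new country, does not raise an alert at the default threshold; lowering `min_signs` to 1 trades fewer misses for more noise.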
